Information security incident reporting procedure

Responsible Officer: Ben Bennett, Business Planning & Resources Director
Author: Julian Lewis, Governance Manager
Date effective from: 2009
Date last amended: December 2015
Review date: December 2018
Version: 1.4

Introduction

1. NICE is committed to ensuring effective safeguards are applied to the information it holds. NICE therefore uses the Security Policy Framework (SPF) to ensure compliance with Government-wide standards and protocols for information governance.

2. NICE holds a range of confidential information. This includes personal data relating to its staff and to some of the individuals that it works with. NICE also holds commercial in confidence data, plus information from the Health and Social Care Information Centre (HSCIC) that contains anonymised, but patient identifiable information.

3. Reporting of information security incidents helps NICE maintain a safe and secure working environment. It helps protect the confidentiality, integrity and availability of the information and systems accessed and is important for effective risk management.

4. Managing incidents relating to the security of information is a cyclical process of identification, reporting, investigation, resolution and learning to minimise the risk of re-occurrence.

5. All staff members have a responsibility to report information security incidents whether deliberate or accidental.

6. This procedure outlines the main requirements for incident reporting related to information security events only. It is designed to ensure that the incident is recorded, that the event is properly reviewed and corrective action taken where necessary, and to provide clarity over accountability and responsibility for actions.

7. Incidents relating to health & safety should be reported in accordance with the Health & Safety Welfare Manual. Any identified fraud should be reported in accordance with the Counter Fraud and Anti-Bribery Policy.

Information security

8. An information security incident is defined as the exposure of sensitive personal data or confidential information to unacceptable risk. It may include any actual or potential breach of security which may compromise the confidentiality, integrity or availability of information stored, processed and communicated in relation to NICE business whether in hard copy or electronic format. Each potential incident will be risk assessed on a case by case basis.

9. The term information security incident covers a wide range of events which can vary considerably and it is therefore not possible to detail every single event. The following list gives examples of types of security incidents that should be reported:

Type of data: Sensitive personal data (1)
Example: Risk of accidental or deliberate disclosure of sensitive personal data, e.g. applications for committee membership held on a file drive with general staff access.

Type of data: Confidential information, including Commercial in Confidence (CiC) and Academic in Confidence (AiC) information
Example: Risk of accidental or deliberate access to confidential information by an unauthorised person, e.g. (1) CiC information sent to the wrong recipient; (2) CiC information sent by email without password protection or encryption.

Type of data: Passwords
Example: An unauthorised person has gained access to your account, or has attempted to gain access using your password, e.g. password/login details left accessible and unsecured to visitors in a home worker's home.

Type of data: IT security breach
Example: Degraded IT system integrity or loss of system availability posing a threat of loss of information or disruption of activity; unauthorised access to data.

Type of data: Physical security breach
Example: Unauthorised access to secure areas containing confidential information, e.g. forced access to a locker containing confidential information or sensitive personal data.

Type of data: Theft or loss of portable media
Example: Unencrypted laptops or other portable media containing confidential or sensitive personal data lost or stolen, e.g. a laptop stolen from a car.

(1) As defined in Appendix 1.

10. This list is not exhaustive and staff must ensure they report any incident where they have a reasonable belief that there is a risk to the security of sensitive personal data or any confidential information.

Reporting security incidents

11. Incidents should be reported to the Governance Manager and line manager by email. Information on the incident should include a description of the data lost or stolen, whether it was held in hard copy or on portable media, the quantity (if known), where it was lost and the sensitivity of the data (if known).

12. In addition, all information incidents involving an IT security breach should be reported immediately to the IT Team for corrective action.

Security incidents that may have an impact on N3 (2) will be reported immediately, by the Associate Director - Procurement and IT, to the N3 SP Helpdesk. The Associate Director - Procurement and IT and / or the Governance Manager will brief the Business Planning & Resources Director (SIRO) and, if patient information is involved, the Caldicott Guardian.

(2) N3 connectivity is the connection between NICE IT systems and the NHS intranet.

13. Any incident relating to the confidential information received from the Health and Social Care Information Centre (HSCIC) will be reported to the HSCIC in accordance with the conditions set out in the agreement with the HSCIC.

14. Security incidents involving sensitive data should be assessed based on the potential detriment to the individual and / or organisations affected, including possible distress and financial damage, together with the volume of data involved.

15. Any IT incident occurring outside secure office premises should be reported immediately to the NICE IT department. The IT department maintains its own system security for portable media and the IT network.

16. The Corporate Office retains a central log of all reported information security incidents. These will be reviewed by the Governance Manager and the Associate Director - Corporate Office and escalated via the Business Planning & Resources Director, as the Senior Information Risk Owner (SIRO), to SMT and the Audit and Risk Committee as necessary.

17. All incidents escalated to the Audit and Risk Committee should include a top line synopsis of the data involved, the nature of the incident, the immediate actions taken in mitigation, and the lessons learnt to minimise the risk of recurrence.

Appendix 1

Definition of personal data

1 Personal data is any information:

‘which relate to a living individual who can be identified – (a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual’

2 This definition should be considered in light of the extent to which the data relates to the individual’s privacy in their family life, business or professional capacity.

3 “Sensitive personal data” is information that includes the name of an individual, combined with one or more of the following:

• Bank / financial / credit card details

• National Insurance number / Tax, benefit or pension records

• Passport number / information on immigration status

• Travel details (for example at immigration control, or Oyster records)

• Passport number / information on immigration status / personal (non-NICE) travel records

• Health records

• Work record

• Material related to social services (including child protection) or housing case work

• Conviction / prison / court records / evidence

• Other sensitive data defined by s.2 of the Data Protection Act 1998, including information relating to:

(a) racial or ethnic origin
(b) political opinions
(c) religious beliefs or other beliefs of a similar nature
(d) membership of a trade union
(e) physical or mental health or condition
(f) sex life
(g) the commission or alleged commission by him of any offence
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Appendix 2

Reporting of information security incidents

Minor*
• No material damage to the reputation of the individual or organisation
• Minor breach of confidentiality
• Up to 20 individuals
• Report to Corporate Office and Business Planning & Resources Director

Medium
• Damage to an individual’s reputation / privacy
• Potentially serious breach
• Over 20 people affected and media not encrypted
• Report to Corporate Office and Business Planning & Resources Director
• Report to the Audit and Risk Committee

Significant
• Damage to NICE reputation
• Serious breach of confidentiality or disclosure of sensitive personal data
• OR over 100 people affected
• Report to Audit and Risk Committee
• Report to Board
• Report to the ALB BSU and Senior Departmental Sponsor and / or ICO

*All incidents should be assessed on a case by case basis in light of the potential harm that could be done in each case, either to an individual or a third party or to NICE. The Business Planning & Resources Director, as the Senior Information Risk Owner (SIRO), retains the discretion to escalate the reporting of an incident to the Audit and Risk Committee or Board.

Appendix A - Version Control Sheet

Version Date Author Replaces Comment

1.3 Julian Lewis

1.4
